
Our company originally used a Cisco 2811 router for VPN in lan-to-lan mode. The branch offices use routers as the remote ends and have no fixed IP (ADSL dial-up); this has always worked normally. We now need to add VPN client connectivity on the 2811, but the connection keeps having problems.

1. Original lan-to-lan configuration
Status: lan-to-lan works normally.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 3
 authentication pre-share
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto dynamic-map DYNMAP 1
 set transform-set VPN
 match address 102
!
crypto map CMAP 60000 ipsec-isakmp dynamic DYNMAP
!
access-list 102 remark VPN_ACL IPSec Rule
access-list 102 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
2. Modified configuration 1
Status: the Cisco VPN Client connects normally and can ping the internal network, but the original lan-to-lan no longer works.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2                                   (newly added)
!
crypto isakmp policy 3
 authentication pre-share
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group test   (newly added)
 key test-1234
 pool p1
 netmask 255.255.255.0
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
crypto ipsec transform-set tran-hh esp-3des esp-md5-hmac   (newly added)
!
crypto dynamic-map DYNMAP 1
 set transform-set VPN
 match address 102
!
crypto dynamic-map dy-hh 1                 (newly added)
 set transform-set tran-hh
 reverse-route
!
crypto map CMAP isakmp authorization list test   (newly added)
crypto map CMAP client configuration address respond
crypto map CMAP 1 ipsec-isakmp dynamic dy-hh
crypto map CMAP 60000 ipsec-isakmp dynamic DYNMAP
!
ip local pool p1 172.19.200.10 172.19.200.100
access-list 102 remark VPN_ACL IPSec Rule
access-list 102 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
3. Modified configuration 2
Status: the original lan-to-lan works and the Cisco VPN Client connection goes through; show cry ipsec sa on the router also looks correct, but the client cannot ping the internal network. In other words, it is connected, but the two networks cannot reach each other.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group test
 key test-1234
 pool p1
 netmask 255.255.255.0
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
crypto ipsec transform-set tran-hh esp-3des esp-md5-hmac
!
crypto dynamic-map DYNMAP 1                (cannot be deleted, I don't know how; still present)
 set transform-set VPN
 match address 102
!
crypto dynamic-map dy-hh 10
 set transform-set tran-hh
 reverse-route
crypto dynamic-map site 1
 set transform-set VPN
 match address 102
!
crypto map CMAP isakmp authorization list test
crypto map CMAP client configuration address respond
crypto map CMAP 1 ipsec-isakmp dynamic site
crypto map CMAP 10 ipsec-isakmp dynamic dy-hh
crypto map CMAP 60000 ipsec-isakmp dynamic DYNMAP   (cannot be deleted, I don't know how; still present)
!
ip local pool p1 172.19.200.10 172.19.200.100
!
access-list 102 remark VPN_ACL IPSec Rule
access-list 102 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
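As an added example (not the poster's configuration and not a Cisco tool), the following Python script reads the crypto-map portion of modified configuration 2 above and reports the things that are easy to misread in a raw running-config when one crypto map carries both a lan-to-lan dynamic map and a VPN Client dynamic map: the order in which IOS evaluates the crypto map entries (lowest sequence number first), which dynamic-map entries carry no `match address` and therefore accept whatever proxy identities the peer proposes, whether the client address pool lies inside a network named in the lan-to-lan ACL, and whether a pre-shared key lacks the `no-xauth` keyword while the same map performs ISAKMP client authorization (`no-xauth` is Cisco's documented way to exempt lan-to-lan peers from XAuth on a router that also terminates clients). The `CONFIG` constant reproduces only the lines the checker inspects; all function names are the example's own. It reports facts; interpreting them is left to the operator.

```python
# Added lint for an IOS crypto map mixing lan-to-lan and VPN Client dynamic maps.
# Example code, not the poster's and not Cisco's; it reports what the text says.
import ipaddress
import re

# Modified configuration 2 from the post (forum debris removed); only the lines this
# checker inspects are reproduced here.
CONFIG = """\
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
crypto dynamic-map DYNMAP 1
 set transform-set VPN
 match address 102
crypto dynamic-map dy-hh 10
 set transform-set tran-hh
 reverse-route
crypto dynamic-map site 1
 set transform-set VPN
 match address 102
crypto map CMAP isakmp authorization list test
crypto map CMAP client configuration address respond
crypto map CMAP 1 ipsec-isakmp dynamic site
crypto map CMAP 10 ipsec-isakmp dynamic dy-hh
crypto map CMAP 60000 ipsec-isakmp dynamic DYNMAP
ip local pool p1 172.19.200.10 172.19.200.100
access-list 102 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
"""


def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard (inverse) mask -> ip_network; 0.0.0.0 wildcard means a /32 host."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_config(text):
    """Collect dynamic maps, crypto map entries, pools, ACLs and pre-shared keys from IOS config text."""
    cfg = {"dyn": {}, "entries": [], "pools": {}, "acls": {}, "keys": [], "client_auth_maps": set()}
    current = None  # (dynamic-map name, seq) whose indented sub-commands are being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):  # sub-command of the current dynamic-map entry
            if current is None:
                continue
            sub = line.strip()
            if m := re.match(r"match address (\S+)$", sub):
                cfg["dyn"][current]["match"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)$", sub):
                cfg["dyn"][current]["transform"] = m.group(1)
            elif sub == "reverse-route":
                cfg["dyn"][current]["rri"] = True
            continue
        current = None
        if m := re.match(r"crypto dynamic-map (\S+) (\d+)$", line):
            current = (m.group(1), int(m.group(2)))
            cfg["dyn"][current] = {"match": None, "transform": None, "rri": False}
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", line):
            cfg["entries"].append({"map": m.group(1), "seq": int(m.group(2)), "dynamic_map": m.group(3)})
        elif m := re.match(r"crypto map (\S+) isakmp authorization list (\S+)$", line):
            cfg["client_auth_maps"].add(m.group(1))
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            rule = (wildcard_to_network(m.group(2), m.group(3)), wildcard_to_network(m.group(4), m.group(5)))
            cfg["acls"].setdefault(m.group(1), []).append(rule)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+) (\S+)(.*)$", line):
            cfg["keys"].append({"peer": f"{m.group(1)} {m.group(2)}", "no_xauth": "no-xauth" in m.group(3)})
    return cfg


def evaluation_order(cfg, map_name):
    """Entries of one crypto map, lowest sequence first (the order IOS tries them), with the dynamic map each references."""
    rows = []
    for e in sorted((e for e in cfg["entries"] if e["map"] == map_name), key=lambda e: e["seq"]):
        for (name, dseq), d in sorted(cfg["dyn"].items(), key=lambda kv: kv[0]):
            if name == e["dynamic_map"]:
                rows.append({"seq": e["seq"], "dynamic_map": name, "dyn_seq": dseq, "match": d["match"], "rri": d["rri"]})
    return rows


def unrestricted_before_restricted(rows):
    """(seq, dynamic map) of entries with no 'match address' that are tried before an entry that has one."""
    restricted = [r["seq"] for r in rows if r["match"] is not None]
    if not restricted:
        return []
    return [(r["seq"], r["dynamic_map"]) for r in rows if r["match"] is None and r["seq"] < max(restricted)]


def pool_acl_overlaps(cfg):
    """(pool, acl, side, network) for every client pool that falls inside a network named in an ACL."""
    hits = []
    for pname, (first, last) in cfg["pools"].items():
        for acl, rules in cfg["acls"].items():
            for src, dst in rules:
                for side, net in (("src", src), ("dst", dst)):
                    if int(first) <= int(net.broadcast_address) and int(net.network_address) <= int(last):
                        hits.append((pname, acl, side, str(net)))
    return hits


def keys_without_no_xauth(cfg):
    """Pre-shared keys lacking 'no-xauth' when some crypto map also runs ISAKMP client authorization."""
    if not cfg["client_auth_maps"]:
        return []
    return [k["peer"] for k in cfg["keys"] if not k["no_xauth"]]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    rows = evaluation_order(cfg, "CMAP")
    for r in rows:
        acl = r["match"] or "none (peer-proposed proxy identities accepted)"
        print(f"seq {r['seq']:>5}: dynamic-map {r['dynamic_map']} {r['dyn_seq']}  match address: {acl}  rri={r['rri']}")
    print("no-ACL entries tried before ACL entries:", unrestricted_before_restricted(rows))
    print("client pools inside ACL networks:", pool_acl_overlaps(cfg))
    print("pre-shared keys without no-xauth:", keys_without_no_xauth(cfg))
```

Run against the configuration above, the script lists the entries in the order 1 (site, ACL 102), 10 (dy-hh, no ACL, reverse-route) and 60000 (DYNMAP, ACL 102), flags dy-hh as an entry without an ACL that is tried before one with an ACL, reports that pool p1 lies inside the 172.19.0.0/16 destination of ACL 102, and notes that the 0.0.0.0 pre-shared key has no `no-xauth` keyword. The same checks apply to modified configuration 1 if its lines are substituted for `CONFIG`.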